How to dump memory (/dev/mem)?

General questions about the FreeBSD operating system. Ask here if your question does not fit elsewhere.

How to dump memory (/dev/mem)?

Postby honk » 28 Dec 2008, 01:27

Hi,

can someone tell me why memdump (from /usr/ports/sysutils) produces 4GByte files on a system with 2GB RAM (physically, no swap configured). Also what's the difference between "dd if=/dev/mem..." /dev/kmem and memdump?

# dmesg | grep memor
real memory = 2104164352 (2006 MB)
avail memory = 2053550080 (1958 MB)

I want to read memory content for forensic purposes. Useful informations on this topic appreciated. Thanks a lot in advance.

hnk
honk
Member
 
Posts: 134
Joined: 03 Dec 2008, 00:09

Postby graudeejs » 28 Dec 2008, 10:46

a stupid way to do it could be cat

But why do you want that?
Are you seriously going to analyze 2G binary file full or crap?
User avatar
graudeejs
Style(9) Addict
 
Posts: 4591
Joined: 16 Nov 2008, 23:23
Location: Riga, Latvia

Postby kamikaze » 28 Dec 2008, 10:50

I suppose that tool tries to safe the whole available memory space.
sysutils/bsdadminscripts: binary package maintenance, library integrity checking, ...
sysutils/automounter: [man=8]amd[/man] based automounting without HAL
contact: kamikaze@bsdforen.de

Disclaimer: My posts represent my perception. Errors and incompleteness are to be expected, I deny any responsibility to know everything.
User avatar
kamikaze
Member
 
Posts: 366
Joined: 17 Nov 2008, 07:34
Location: /earth/europe/germany

Postby honk » 31 Dec 2008, 16:43

The reason for me to look at /dev/mem (or /dev/kmem, don't understand the difference currently) is this:

http://events.ccc.de/congress/2008/Fahrplan/events/2922.en.html

I'm using GELI for full disk encryption and I tought, that finding the passphrase in memory isn't that easy:

user@fbsd:/data# memdump > mem.dump
memdump: Stopped on OFFT_TYPE wraparound after 0xfffff000

user@fbsd:/data# strings mem.dump | grep passphrase
Dec 31 00:33:29 prod kernel: Enter passphrase for ad4: verysecretpassphrase


I'm not really happy with that. Is there a reason to find such messages (like "attention here comes the password") in memory?

Now I'm interested in other things which can be found in the memory. Maybe there are some other peoples here with knowledge in forensics.

cheers,
Honk
honk
Member
 
Posts: 134
Joined: 03 Dec 2008, 00:09

Postby graudeejs » 31 Dec 2008, 16:50

Hackers Disassembling Uncovered by Kriss Kasperky
http://softpro.stores.yahoo.net/1-931769-64-8.html

also
http://www.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann/

they bough ain't directly related, but gives some interesting ideas about what you're interested (i think)

anyway posting them wont hurt
User avatar
graudeejs
Style(9) Addict
 
Posts: 4591
Joined: 16 Nov 2008, 23:23
Location: Riga, Latvia

Postby Djn » 01 Jan 2009, 22:20

Of course, if someone has read access to all your memory, they can probably read any mounted volumes as well ...
Djn
Member
 
Posts: 392
Joined: 19 Nov 2008, 14:21
Location: Horten, Norway


Return to General

Who is online

Users browsing this forum: TeoEnMing, yayix and 0 guests